Often, there are some messages that you know you will never store in any log file. Even worse, these messages are sometimes very frequently emitted. There are various ways to get rid of those unwanted messages.

First of all, you need to identify them. Then look carefully and see what is special about these messages. A common case is that they contain a specific text inside the message itself. If so, you can filter on that text and discard anything that matches. You need to be careful, though: if other messages also match this text, they will be discarded as well. So it is vital to make sure the text you use is actually unique.

In the sample below, let’s assume that you want to discard messages that contain either the text "user nagios" or "module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write". The latter is an actual sample from pulseaudio, which is known to spam syslog with an enormous volume of these messages.

Note that these are just two lines. The second to fourth lines are broken for printing purposes only. Each of the two statements must be on a single line in an actual rsyslog.conf.

How it works

Note that the statements are placed at the top of rsyslog.conf. This causes them to be executed before any other action statement. So each message received is checked against the two strings and discarded if a match is found. Note that you can move the discard action to another place inside rsyslog.conf if you would like to write the messages to some files, but not to others. For example, this configuration:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# do not log the following to other files
:msg, contains, "user nagios" ~
:msg, contains, "module-alsa-sink.c: ALSA woke us up to
write new data to the device, but there was actually
nothing to write" ~

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

logs all messages to /var/log/messages, even those that are discarded afterwards, because the discard statements come after that action.
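The uniqueness warning above matters most for security logs: a short text such as "user nagios" is a substring of messages from several programs, including failed logins. The following added example (not part of the original article) emulates the case-sensitive substring test of `:msg, contains` over constructed sample lines and reports which programs each discard text would silence; the sample lines, the host name and the function names are assumptions.

```python
import re
from collections import Counter

# Discard texts taken from the filters on this page.
DISCARD_TEXTS = [
    "user nagios",
    "module-alsa-sink.c: ALSA woke us up to write new data to the device, "
    "but there was actually nothing to write",
]

# Constructed sample lines (not real logs), traditional syslog file format.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 crond[700]: pam_unix(crond:session): session opened for user nagios by (uid=0)
Mar  3 10:00:02 web1 pulseaudio[1530]: module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write
Mar  3 10:00:05 web1 sshd[840]: Failed password for invalid user nagios from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:09 web1 sudo: pam_unix(sudo:session): session opened for user nagiosadmin by (uid=0)
Mar  3 10:00:12 web1 kernel: eth0: link up
"""

# timestamp, host, program tag with optional [pid], then the message text
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$")


def parse(line):
    """Split a log line into (program, msg); None if it does not parse."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def matches_by_program(text, log):
    """Count, per program, the messages a ':msg, contains, text' filter would hit."""
    hits = Counter()
    for line in log.splitlines():
        parsed = parse(line)
        if parsed and text in parsed[1]:  # case-sensitive substring test
            hits[parsed[0]] += 1
    return hits


def audit(log=SAMPLE_LOG):
    """Map each discard text to the programs it would silence."""
    return {text: dict(matches_by_program(text, log)) for text in DISCARD_TEXTS}


if __name__ == "__main__":
    for text, hits in audit().items():
        verdict = "ok" if len(hits) <= 1 else "matches several programs, review"
        print(f"{text[:40]!r}: {hits} -> {verdict}")
```

Run it against a copy of your own log file by passing its contents to `audit()` before putting a new discard filter into production.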

I have Rsyslog v5.x running on OpenSuse 11 with the following rules,
which are working properly, whereas I installed / upgraded to Rsyslog
v7.2.3 with Open Suse 12.2; after that the same set of rules is NOT
working. Kindly help: are any major changes implemented in v7?

The rules I tested, which were working in Rsyslog v5 and are NOT working on v7.2.3,
are below:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
if ($fromhost-ip != '127.0.0.1') and \
($msg contains 'ENVMON' or $msg contains 'duplex mismatch' or \
$msg contains 'THRESHOLD_VIOLATION') \
then -/var/log/remotelogs;RSYSLOG_TraditionalFileFormat
&~

Whereas the following RULE WORKS in both v5.x and v7.2.3
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
if $fromhost-ip != '127.0.0.1' then
-/var/log/remotelogs;RSYSLOG_TraditionalFileFormat
&~
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks for NOTHING. ALL THIS WAS A LOT OF JIBBER JABBER TO ME, didn’t know I’d have to read a whole dictionary to get a simple answer to a simple question. I just wanted to be able to TOTALLY DISCARD some of my info on my phone…. yes, some emails &/or gmails also, because just DELETING them only transfers them to another place, it does NOT really delete them at all!!!